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DETECTING COMPROMISED BALLOTS 

RELATED APPLICATIONS 

This application claims the benefit of U.S. Provisional Application No. 
60/270,182 filed February 20, 2001, and is a continuation-in-part of each of U.S. 
Patent Application No. 09/534,836, filed March 24, 2000; U.S. Patent Application 
No. 09/535,927, filed March 24, 2000; and U.S. Patent Application No. 
09/816,869 filed March 24, 2001. Each of these four applications is incorporated 
by reference in its entirety. 

TECHNICAL FIELD 

The present invention is directed to the fields of election automation and 
cryptographic techniques therefor. 

BACKGROUND 

The problems of inaccuracy and inefficiency have long attended 
conventional, manually-conducted elections. While it has been widely suggested 
that computers could be used to make elections more accurate and efficient, 
computers bring with them their own pitfalls. Since electronic data is so easily 
altered, many electronic voting systems are prone to several types of failures that 
are far less likely to occur with conventional voting systems. 

One class of such failures relates to the uncertain integrity of the voter's 
computer, or other computing device. In today's networked computing 
environment, it is extremely difficult to keep any machine safe from malicious 
software. Such software is often able to remain hidden on a computer for long 
periods of time before actually performing a malicious action. In the meantime, it 
may replicate itself to other computers on the network, or computers that have 
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some minimal interaction with the network. It may even be transferred to 
computers that are not networked by way of permanent media carried by users. 

In the context of electronic secret ballot elections, this kind of malicious 
software is especially dangerous, since even when its malicious action is 
triggered, it may go undetected, and hence left to disrupt more elections in the 
future. Controlled logic and accuracy tests f L&A tests") monitor the processing 
of test ballots to determine whether a voting system is operating properly, and 
may be used in an attempt to detect malicious software present in a voter's 
computer. L&A tests are extremely difficult to conduct effectively, however, since 
it is possible that the malicious software may be able to differentiate between 
"real" and "test" ballots, and leave all "test" ballots unaffected. Since the 
requirement for ballot secrecy makes it impossible to inspect "real" ballots for 
compromise, even exhaustive L&A testing may prove futile. The problem of 
combating this threat is known as the "Client Trust Problem." 

Most existing methods for solving the Client Trust Problem have focused 
on methods to secure the voting platform, and thus provide certainty that the 
voter's computer is "clean," or "uninfected." Unfortunately, the expertise and 
ongoing diligent labor that is required to achieve an acceptable level of such 
certainty typically forces electronic voting systems into the controlled environment 
of the poll site, where the client computer systems can be maintained and 
monitored by computer and network experts. These poll site systems can still 
offer some advantages by way of ease of configuration, ease of use, efficiency of 
tabulation, and cost. However, this approach fails to deliver on the great potential 
for distributed communication that has been exploited in the world of e-commerce. 

Accordingly, a solution to the Client Trust Problem that does not require the 
voting platform to be secured against malicious software, which enables 
practically any computer system anywhere to be used as the voting platform, 
would have significant utility. 



[32462-8006US01 /SL01 3620.1 61 ] 



-2- 



12/31/01 



BRIEF DESCRIPTION OF DRAWINGS 

[0008] Figure 1 is a high-level block diagram showing a typical environment in 

which the facility operates. 
[0009] Figure 2 is a block diagram showing some of the components typically 

incorporated in at least some of the computer systems and other devices on which 

the facility executes. 

[0010] Figure 3 is a flow diagram showing steps typically performed by the facility 

in order to detect a compromised ballot. 

DETAILED DESCRIPTION 

A software facility for detecting ballots compromised by malicious programs 
("the facility") is provided. The approach employed by the facility is unique in that 
it does not make any attempt to eliminate, or prevent the existence of malicious 
software on the voting computer. Instead, it offers a cryptographically secure 
method for the voter to verify the contents of the voter's ballot as it is received at 
the vote collection center, without revealing information about the contents (ballot 
choices) to the collection center itself. That is, the vote collection center can 
confirm to the voter exactly what choices were received, without knowing what 
those choices are. Thus, the voter can detect any differences between the voter's 
/nfendecf choices, and the actual choices received at the vote collection center (as 
represented in the transmitted voted ballot digital data). Further, each election 
can choose from a flexible set of policy decisions allowing a voter to re-cast the 
voter's ballot in the case that the received choices differ from the intended 
choices. 

A. The Simplest Secret Value Confirmation Setting 

[0012] In order to understand the key cryptographic protocol that makes secret 

value confirmation possible, we first describe a simplified embodiment of the 
facility. In accordance with this embodiment, the ballot consists of a single yes or 
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no question. The challenge then is to have the voter secretly communicate the 
voter's choice - yes or no - to the vote collection center, and then further confirm 
that what was actually received at the vote collection center was exactly what the 
voter intended. In other words, if a "yes" vote was somehow changed to a "no" 
vote, or a "no" vote was somehow changed to a "yes" vote, the facility informs the 
voter of this fact. 

[0013] An electronic vote representation is used to represent the contents of the 

voter's ballot. Suitable electronic vote representations include those described in 
the patent applications identified in the related application section. 

[0014] 1 . Ballot Construction: A set of cryptographic "election parameters" are 

agreed upon by election officials in advance of the election start, and made 
publicly known by wide publication or other such means. These parameters 
include encryption group, generator, EIGamal public key, and decision encoding 
scheme. Most commonly these consist of: 

(a) The encryption group: A large prime, p. 

(b) The generator: An integer (or, technically, an integer residue 
class) geZp, which has prime multiplicative order q, with the 

property that q is a multiplicity 1 divisor of p - 1 . 

(c) The EIGamal public key: Another integer residue class, 
/2 e (g) . That is, h = g' for some integer value of s. 

(d) The decision encoding scheme: A partition of (g) into "yes", 
"no" and "invalid" group elements. That is, (g) = 5^ U U , 
where the S^.S^^S- are pain^ise disjoint subsets of (g) - the 

"yes" messages, "no" messages, and "invalid" messages 
respectively. 

[0015] However, other groups and elements can be used. In particular, the facility may 
be implemented using Elliptic Curves rather than groups. 

[0016] 2. Vote Submission: Each voter encrypts the voter's decision, "yes" or 

"no", as an EIGamal pair, [X^J^) = [g'',h'' m), where aeZ^ is chosen randomly 

by the voter, meSy if the voter wishes to choose "yes" and meS^ if the voter 
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wishes to choose "no". Any other message (i.e., meSJ is considered invalid. 

This encrypted value is what is digitally signed by the voter, and then transmitted 

to the vote collection center. For now, we will consider a simple decision 
encoding scheme in which Sy={Gy}, S„^{G„}, and 5. ={g)-{G^,G„}. 

However, with obvious small modifications, the discussion that follows applies 
equally well to more general settings. 
[0017] If the voter was computing these values himself - say with pencil and paper 

- this protocol would essentially suffice to implement a secret-ballot, universally 
verifiable election system. (Depending on the tabulation method to be used, 
some additional information, such as a voter proof of validity may be necessary.) 
Q However, since the voter only makes choices through a user interface, it is in 

y many cases unrealistic to expect him/her to check the actual value of the bits sent 

;;/J and compare them to the voter's intent. In short, malicious software can ignore 

^ voter intent and submit a "no" vote when the voter specified "yes", or submit a 

==: "yes'' vote when the voter specified "no". 

nj 

JaI B. Creating a Secret Value Confirmation 

U [0018] We differentiate two types of vote corruption, directed and undirected. 

Directed vote corruption is the act of changing a "y®s" vote to a "no" vote, or a 
"no" vote to a "yes" vote. Undirected vote corruption is the act of changing from a 
"valid" vote ("yes" or "no") to an "invalid" vote. The following steps will detect 
directed vote corruption in the simple ballot setting of the previous section. They 
rely on the intractability of the Diffie-IHeliman Problem described in A. M. Odiyzko, 
Discrete logarithms in finite fields and their cryptographic significance, Advances in 
Cryptology - EURO-CRYPT '84, Lecture Notes in Computer Science, Springer- 
Verlag, 1984. 

[0019] 1. The computer operated by voter submits the encrypted decision 

as before, optionally signing the encrypted decision using a private key of this 
voter. 
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[0020] 2. The vote collection center generates two values e and 

G randomly and independently. These values are generated on a per voter 

basis, and kept secret from all but the collection center. They may be generated 
in advance of the election. 
[0021] 3. The vote collection center computes the values 

W^=K;ff^ =i^,/2"'^'m^ (1) 
U^=h^^ (2) 
and returns them to the voter's computer. and are together known as the 

"encrypted vote confirmation." 
[0022] 4. The voter's computer, knowing the secret can compute 

WjU^' =K^m^' . It then displays this value to the voter. In some embodiments, 

the facility displays a hash of this value to the voter, rather than the value itself. 
When displaying the hash, the length of the data is generally shorter, thus 
enabling the voter to read and compare fewer characters. 
[0023] The vote collection center does not know what value is, or should be, 

displayed, since the vote data it received was strongly encrypted. However, it 
does know: 

(a) If the voter voted "yes", the value K^m^' should be displayed, 

(b) If the voter voted "no", the value K^m^' should be displayed, 

(c) If the voter voted any invalid value, a value other than these 
two should be displayed. 

[0024] 5. The voter can now check the validity of the vote received by 

contacting the vote collection center though some secure communication channel, 

such as telephone, fax, or surface mail. By sending a request containing 

(a) The voter's voter id. 

(b) Optionally, a short PIN (4-5 digits typically suffice) to prevent 
the malicious software from masquerading remotely as the 
voter. 
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the voter can obtain from the vote collection center a "confirmation dictionary" 
indicating the two possible values the voter should have seen displayed 
depending on how the voter voted, such as "If you voted yes\ your confirmation 
string should be 'xyz../ and if you voted 'no\ your confirmation string should be 
'abc....'" In some embodiments, the confirmation dictionary is supplied to the 
voter in advance of the election. For example, the unique confirmation dictionary 
for each voter could be sent through the postal mail as part of a "voter information 
packet," (Note that absentee ballots are delivered to voters through the postal 
mail.) 

[0025] 6. The voter verifies that the confirmation string the voter saw 

displayed by the voter's computer is consistent with both the voter's intended 
choice and this confirmation dictionary. 

[0026] 7. Any inconsistency indicates that some sort of unexpected behavior 

has occurred on the voter's computer, or in transmission, and corrective action 
should be taken. In many electronic voting schemes, an individual voter's ballot 
can be removed from the ballot box and resubmitted. The exact procedure for 
voter corrective action is a matter of policy, and may involve some form of voter 
protest, followed by a resubmission of the ballot in a controlled, secure 
environment. Alternatively, the voter may be allowed a few attempts from a 
remote computer before being forced to go to a controlled environment to 
resubmit. 

[0027] The essentia! cryptographic foundation of this protocol is that the voter's 

computer, or malicious software running on it, cannot (for well chosen - i.e., 
randomly chosen - and ) compute the complementary confirmation string, 

i.e., compute K^m^' from K^rriy' (or visa versa). This is because doing so 
requires computing {^m^jmy^^' (or visa versa), and the only information available 

to aid in this task is h^' . In short, the malicious software would have to solve an 
instance of the Diffie-Hellman Problem. 
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An Attack on the Previous Protocol 



[0028] As noted, malicious software cannot conduct directed vote corruption 

without the corruption being detected and later corrected. However, the basic 

version of the protocol outlined above in some cases may allow undirected vote 

corruption to go undetected as in the following scenario, 
[0029] 1. Instead of submitting {X^,Y^) as the voter intends, the voter's 

computer can submit {^X^.Y^h^'j for any chosen /eZ^. This will have the effect of 

transforming a valid vote into an invalid one. When the computer receives the 
encrypted vote confirmation, it can follow the protocol to compute K.h^^'m^ . 

^ [0030] 2. Were it to display this value, the voter would notice a problem, since 

ip it would not match the confirmation dictionary. However, since the malicious 

S software generated, and knows y, and also knows //^ from the encrypted 

^ confirmation it received, it can compute [h^' J = h''^ . By division, it can then 

W compute right value K,m^ - i.e., the one to match the voter's confirmation 

H dictionary - and display it, thereby fooling the voter. Of course, invalid votes will 

y be detected at tabulation time, but this will usually be too late for corrective action 

p to be taken. Embodiments of the facility guard against such an undirected attack 

^ by employing a voter validity proof as discussed in the next section. 

D. Counter Attack - Voter Validity Proof 

[0031] The validity proof constructed by the voter proves to the vote collection 

center that, (X^,Y^), the encrypted decision (ballot) received from voter is 

either an encryption of or an encryption of without revealing any 

information about which of these values it is. Methods for constructing validity 
proofs of this type can be found in U.S. Patent Application No. 09/535,927, as well 
as R. Cramer, I. Damgard, B. Schoenmakers, Proofs of partial knowledge and 
simplified design of witness hiding protocols, Advances in Cryptology, CRYPTO 
'94, Lecture Notes in Computer Science, pp. 174-187, Springer-Verlag, Berlin, 
1994, which is hereby incorporated by reference in its entirety. Thus, the validity 
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proof proves that the received encrypted ballot is valid, which is exactly what is 
needed to prevent the undetected, undirected vote corruption of the previous 
section. The malicious software may try an undirected vote corruption as before, 
but it will not be able to supply the required validity proof, and thus will be 
detected even before the encrypted vote confirmation is returned to the voter. As 
already noted, the secret value confirmation protocol itself detects directed vote 
corruption. 

[0032] The validity proofs can be extended to more general sets of response 

options than simple "yes/no". As a result, the facility is able to prevent the attack 
of section C in the more general case as well. The resulting protocol for the 
general case is as follows. 

[0033] 1 . Ballot Construction: The encryption group, generator, and EIGamal 

public key are all created as usual. However, the decision encoding scheme 

needs to be chosen carefully. For simplicity, let us assume that there is only one 

question on the ballot. (If there are multiple questions, the facility performs the 
steps that follow independently for each of the individual questions.) Let a^,.,.,a^ 

be the set of allowable answers. For example, these could be = 'George 

Bush\ ^2 = 'Al Gore', = 'Ralph Nader', and = 'I abstain'. Note that in this 

example, w = 4. 

[0034] The jurisdiction, or other entity responsible for creating the ballot, must 

select n elements from Z^,jj^,.,.,/j.^, independently and at random. These are 

assigned, in sequence, as the corresponding response values to each allowable 
answer, resulting the specific decision encoding scheme. In the example, this 
means that the digital blank ballot publicly specifies that 

• a vote for 'George Bush' should be submitted as [g'' ju^), 
i.e., an encryption of ju^, 

• a vote for 'Al Gore' should be submitted as [g"" ,h'' ju^), i.e., 
an encryption of ju^ , 
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• a vote for 'Ralph Nader' should be submitted as {g'' .h"" ju^) , 
i.e., an encryption of //j, 

• an abstention should be submitted as [g"" .h"" ju^), i.e., an 
encryption of //^ . 

2. Vote Submission: 

(a) The computer operated by voter submits an encrypted 
ballot on behalf of voter as before, denoted as 
(^X^J^) = (g''' .h'"' ju) for some value ju^{g) snd a^eZ^, 

(b) The computer operated by voter also constructs a validity 
proof, as indicated above, in order to prove that 
jue{ju^,...,ju^], without revealing any more information about 
its specific value. 

(c) The computer operated by voter then submits both and 
the encrypted vote, (X, ,Y^) to the vote collection center. 

(d) Before accepting the encrypted ballot, the vote collection 
center first checks the proof, P^. If verification of P^ fails, 

corruption has already been detected, and the vote collection 
center can either issue no confirmation string, or issue a 
random one. 

(e) Assuming then that verification of P^ succeeds, the vote 
collection center computes the values, and as in 
section B, steps 2 and 3, and returns these to the computer 
operated by voter . 

(f) As in section B, the computer operated by voter can 
compute C=WjU^' , and display this string (or a hash of it) 
to the voter. 

(g) As in section B, step 5, the voter can now compare the 
displayed string against the voter's confirmation dictionary 
(obtained by one of the various modes described there). In 
general, the confirmation dictionary for voter would consist 

of the following table laid out in any reasonable format: 
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where A is the election's public (i.e., published) hash 
function, and = K^juf . 

(h) Since the ju^ were chosen randomly and independently, any 

software (in particular, malicious software) can only display 
the confirmation string corresponding to the ju that was 
submitted or, obviously, an invalid confirmation string - it can 
not compute any other valid confirmation string without 
solving the Diffie-Hellman problem. Thus, if a // different 
from the one intended by the voter is submitted, the 
confirmation string displayed will not match the correct 
confirmation string in the dictionary, and the voter will be able 
to detect corruption. In the case of detected corruption, 
corrective action can be taken as described above. 

In order to more completely describe the facility, an example illustrating the 

ill operation of some of its embodiments is described hereafter. 

ii : 3 

o 




[0036] 



[32462-8006US01 /SL01 3620.1 61 ] 



-11- 



12/31/01 



The following is a detailed example of a Secret Value Confirmation ex- 
change. In order to maximize the clarity of the example, several of the basic 
parameters used - for example, the number of questions on the ballot, and 
the size of the cryptographic parameters - are much smaller than those that 
would be typically used in practice. Also, while aspects of the example ex- 
change are discussed below in a particular order, those skilled in the art will 
recognize that they may be performed in a variety of other orders. 

Some electronic election protocols include additional features, such as: 

• voter and authority certificate (public key) information for authentica- 
tion and audit 

• ballot page style parameters 

• data encoding standards 

• tabulation protocol and parameters 

As these features are independent of the Secret Value Confirmation imple- 
mentation, a detailed description of them is not included in this example. 

This example assumes an election protocol that encodes voter responses 
(answers) as a single EIGamal pair. However, from the description found 
here, it is a trivial matter to also construct a Secret Value Confirmation ex- 
change for other election protocols using EIGamal encryption for the voted 
ballot. For example, some embodiments of the facility incorporate the 
homomorphic election protocol described in U.S. Patent Application No. 
09/535,927. In that protocol, a voter response is represented by multiple 
EIGamal pairs. The confirmation dictionary used in this example is easily 
modified to either display a concatenation of the respective confirmation 
strings, or to display a hash of the sequence of them. 
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The jurisdiction must first agree on the election initialization data. This 
at least includes: the basic cryptographic nunnerical parameters, a ballot 
(i.e. a set of questions and allowable answers, etc.), and a decision encod- 
ing scheme. (It may also include additional data relevant to the particular 
election protocol being used.) 

Cryptographic Parameters 

• Group Arithmetic: Integer multiplicative modular arithmetic 

• Prime Modulus: p = 47 

• Subgroup Modulus: q^23 

• Generator: g = 2, 

• Public Key: h = g'^ where s is secret. For sake of this example, 
let us say that h = g^'^ = 7. 

Ballot 

• One Question 

- Question 1 Text: Which colors should we make 

our flag? (Select at most 1.) 

- Number of answers/choices: 4 

* Answer 1 Text: Blue 

* Answer 2 Text: Green 

* Answer 3 Text: Red 

* Answer 4 Text: / abstain 

Decision Encoding Scheme 
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Choice 


Response Value 


Blue 


9 (Ml) 


Green 


21 (M2) 


Red 


36 ifi,) 


1 abstain 


17 (/i4) 



At some point, before issuing a confirmation and before distributing the 
voter confirmation dictionaries, the ballot collection center (or agency) gen- 
erates random, independent pi and Ki for each voter, Vi. If the confirmation 
dictionary is to be sent after vote reception, these parameters can be gen- 
erated, on a voter by voter basis, immediately after each voted ballot is 
accepted. Alternatively, they can be generated in advance of the election. 
In this example, the ballot collection agency has access to these parameters 
both immediately after accepting the voted ballot, and immediately before 
sending the respective voter's confirmation dictionary. 

Sometime during the official polling time, each voter, V, obtains, and 
authenticates, the election initialization data, described above. It can be 
obtained by submitting a "ballot request" to some ballot server. Alterna- 
tively, the jurisdiction may have some convenient means to "publish" the 
election initialization data - that is, make it conveniently available to all 
voters. 

From the election initialization data, V is able to determine that the 
expected response is the standard encoding of a particular sequence of two 
distinct data elements. These are (in their precise order): 

Choice Encryption A pair of integers {X, Y) with 0 < X, r < 47 in- 
dicating (in encrypted form) the voter's choice, or answer. For the 
answer to be valid, it must be of the form, {X,Y) = (2", 7'^//), where 
0 < a < 23 and 6 {9, 21,36, 17}. 
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Proof of Validity A proof of validity showing that {X, Y) is of the form 
described in the choice encryption step above. (In this example, we 
shall see that this proof consists of 15 modular integers arranged in 
specific sequence.) 

For the sake of this example, let us assume that V wishes to cast a vote 
for "Green". 

1. V generates a G Z23 randomly. In this example, a = 5. Since the 
encoding of "Green" is 21, V's choice encryption is computed as 

{X, Y) = (2^ 7^ X 21) = (32, 24) (3) 

This pair is what should be sent to the vote collection center. The 
potential threat is that V's computer may try to alter these values. 

Voter V (or more precisely, V^'s computer) must prove that one of the 
following conditions hold 



1. {X,Y) 


= (2", 




X 


9) 


i.e. choice (vote cast) is " 


Blue" 


2. (X, Y) 


= (2^ 




X 


21) 


i.e. choice (vote cast) is 


"Green" 


3. (X, Y) 


= (2^ 


7" 


X 


36) 


i.e. choice (vote cast) is 


"Red" 


4. (X, Y) 


= (2-, 




X 


17) 


i.e. choice (vote cast) is 


"1 abstain 



for some unspecified value of a without revealing which of them actually 
does hold. 

There are a variety of standard methods that can be used to accomplish 
this. See, for example, R. Cramer, I. Damgard, B. Schoenmakers, Proofs 
of partial knowledge and simplified design of witness hiding protocols, Ad- 
vances in Cryptology - CRYPTO '94, Lecture Notes in Computer Science, 
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pp. 174-187, Springer- Verlag, Berlin, 1994. The Secret Value Confirmation 
technique used by the facility works equally well with any method that sat- 
isfies the abstract criteria of the previous paragraph. While details of one 
such validity proof method are provided below, embodiments of the facility 
may use validity proofs of types other than this one. 
Validity Proof Construction: 

(In what follows, each action or computation which V is required to 
perform is actually carried out by V's computer.) 

1. V sets = a = b. 

2. V generates uj2 Z23, ri,r:i,n &r ^23 . si,S3,S4 Z23 all ran- 
domly and independently. For this example we take 

W2 = 4 (4) 
n = 16 , rg = 17 , r4 = 21 
Si = 12 , S3 ^ 4 , S4 = 15 

3. V computes corresponding values 

ai^g^'X-'' = 2^^x32" = 4 (5) 

a2 = g'^ = 2^ = 16 

a3 = g'^^X-'^ = 2^^ X 32^^ = 6 

a4 = /^X"''^ = 2^^ X 32^ = 9 

6i = /i'-i(r/9)-^^ = 7^^ X (24/9)^1 = 18 

b2 = h'^ = 7^ = 4 

63 = hr'{Y/36y = X (24/36)^^ = 1 

64 = h'^iy/ny - 7^^ X (24/17)^ = 7 

(6) 
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4. y uses a publicly specified hash function E to compute c G Z23 as 

c^E{{X,Y,a,M)) l<^<4 (7) 

Since many choices of the hash function are possible, for this example 
we can just pick a random value, say 

c = 19. (8) 

(In practice, SHAl, or MD5, or other such standard secure hash func- 
tion may be used to compute K!) 

5. V computes the interpolating polynomial P{x) of degree 4 — 1 = 3. 
The defining properties of P are 

P(0) = c = 19 (9) 
F(l) = = 12 

P(3) = S3 = 4 

P(4) S4 = 15 
i^(a^) = Ej=o^i^"' computed using standard polynomial interpolation 
theory, to yeild: 

P(a:) = a;^ + 20x2 + 18a; + 19 (10) 

or 



20 = 19 zi = 18 
2:2 = 20 Zz = \ 



(11) 



6. K computes the values 



52 = P(2) = 5 (12) 
r2 = W2 + q;2S2 = 4 + 5x5 = 6 
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7. V's validity proof consists of the 12 numbers 

{ak,bk,rk}k=i 



(13) 



and the three numbers 

MLi (14) 

in precise sequence, {zq need not be submitted since it is computable 
from the other data elements submitted using the public hash function 
H.) 

Having computed the required choice encryption, {X^Y), and the corre- 
sponding proof of validity, V encodes these elements, in sequence, as defined 
by the standard encoding format. The resulting sequences form V's voted 
ballot. (In order to make the ballot unalterable, and indisputable, V may 
also digitally sign this voted ballot with his private signing key. The resulting 
combination of V's voted ballot, and his digital signature (more precisely, 
the standard encoding of these two elements) forms his signed voted ballot.) 
Finally, each voter transmits his (optionally signed) voted ballot back to the 
data center collecting the votes. 

As described above, the voter specific random parameters for V [p and 
K) are available at the vote collection center. In this example, these are 

= 18 K = 37 (15) 

When the voter's (optionally signed) voted ballot is received at the vote 
collection center, the following steps are executed 

1. The digital signature is checked to determine the authenticity of the 
ballot, as well as the eligibility of the voter. 

2. If the signature in step 1 verifies correctly, the vote collection center 
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then verifies the proof of validity. For the particular type of validity 
proof we have chosen to use in this exannple, this consists of 

(a) The public hash function H is used to compute the value of P(0) = 

zo = P(0) = H{{X, Y, au kjU) = 19 (16) 

(Recall that the remaining coefficients of P, ^1,^252:3, are part of 
V's (optionally signed) voted ballot submission.) 

(b) For each 1 < j < 4 both sides of the equations 

aj = g^^xf^^ (17) 

are evaluated. (Here, as described above, the fij are taken from 
the Decision Encoding Scheme.) If equality fails in any of these^ 
verification fails. This ballot is not accepted, and some arbitrary 
rejection 

string (indication) is sent back to V . 

3. Assuming that the previous steps have passed successfully, the reply 
string {W,U) is computed as 

W = Xy^^ = 37 X 24^^ = 9 (18) 

This sequenced pair is encoded as specified by the public encoding 
format, and returned to V, 

4. y's computer calculates 

= 9/(42)^ = 18 (19) 
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and displays this string to V, (Alternatively, the protocol may specify 
that a public hash function is computed on C and the resulting hash 
value displayed. In this example, C, itself is displayed.) If V's computer 
attempted to submit a choice other than ''Green", the value of C 
computed above would be different. Moreover, the correct value of 
C can not be computed from an incorrect one without solving the 
Diffie-Hellman problem. (For the small values of ^ and q we have used 
here, this is possible, however, for 'Veal" cryptographic parameters, 
V's computer would unable to do this.) Thus, if V's computer has 
submitted an encrypted ballot which does not correspond to V's choice, 
there are only two things it can do at the point it is expected to display 
a confirmation. It can display something, or it can display nothing. In 
the case that nothing is displayed, V may take this as indication that 
the ballot was corrupted. In the case that something is displayed, what 
is displayed will almost certainly be wrong, and again, V may take this 
as indication that the ballot was corrupted. 

5. V now compares the value of C displayed to the value found in V's con- 
firmation dictionary corresponding to the choice, "Green" (V^'s intended 
choice). At this point, V may have already received his confirmation 
dictionary in advance, or may obtain a copy through any independent 
channel. An example of such a channel would be to use a fax machine. 
If the displayed value does not match the corresponding confirmation 
string in the confirmation dictionary, corruption is detected, and the 
ballot can be "recast" in accordance with election specific policy. 

Each voter confirmation dictionary is computed by the vote collection 
center, since, as described above, it is the entity which has knowledge of the 
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voter specific values of a and K, For the case of the voter, V, 
been considering, the dictionary is computed as 



Choice Confirmation String 



"Blue" 


Ci = Kfi^l = 37 X = 16 


"Green" 


C2 = Kn^2 = 37 X 21^^ = 18 


"Red" 


C3 = KfJl = 37 X 36^^ = 36 


"1 abstain" 


C4 = KiJi = 37 X 171^ = 8 
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[0037] Figures 1-3 illustrate certain aspects of the facility. Figure 1 is a high-level 

block diagram showing a typical environment in which the facility operates. The 
block diagram shows several voter computer systems 110, each of which may be 
used by a voter to submit a ballot and verify its uncorrupted receipt. Each of the 
voter computer systems are connected via the Internet 120 to a vote collection 
center computer system 150. Those skilled in the art will recognize that voter 
computer systems could be connected to the vote collection center computer 
system by networks other than the Internet, however. The facility transmits ballots 
from the voter computer systems to the vote collection center computer system, 
which returns an encrypted vote confirmation. In each voter computer system, the 
facility uses this encrypted vote confirmation to determine whether the submitted 
ballot has been corrupted. While preferred embodiments are described in terms 
in the environment described above, those skilled in the art will appreciate that 
the facility may be implemented in a variety of other environments including a 
single, monolithic computer system, as well as various other combinations of 
computer systems or similar devices connected in various ways. 

[0038] Figure 2 is a block diagram showing some of the components typically 

incorporated in at least some of the computer systems and other devices on which 
the facility executes, such as computer systems 110 and 130. These computer 
systems and devices 200 may include one or more central processing units 
("CPUs") 201 for executing computer programs; a computer memory 202 for 
storing programs and data while they are being used; a persistent storage device 
203, such as a hard drive for persistently storing programs and data; a computer- 
readable media drive 204, such as a CD-ROM drive, for reading programs and 
data stored on a computer-readable medium; and a network connection 205 for 
connecting the computer system to other computer systems, such as via the 
Internet. While computer systems configured as described above are preferably 
used to support the operation of the facility, those skilled in the art will appreciate 
that the facility may be implemented using devices of various types and 
configurations, and having various components. 
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[0039] Figure 3 is a flow diagram showing steps typically performed by the facility 

in order to detect a compromised ballot. Those skilled in the art will appreciate 
that the facility may perform a set of steps that diverges from those shown, 
including proper supersets and subsets of these steps, reorderings of these steps, 
and steps of sets in which performance of certain steps by other computing 
devices. 

[0040] In step 301, on the voter computer system, the facility encodes a ballot 

choice selected by the voter in order to form a ballot. In step 302, the facility 
encrypts this ballot. In some embodiments, the encrypted ballot is an EIGamal 
pair, generated using an election public key and a secret maintained on the voter 
computer system. In step 303, the facility optionally signs the ballot with a private 
key belonging to the voter. In step 304, the facility constructs a validity proof that 
demonstrates that the encrypted ballot is the encryption of a ballot in which a valid 
ballot choice is selected. In step 305, the facility transmits the encrypted, signed 
ballot and the validity proof to a vote collection center computer system. 

[0041] In step 321, the facility receives this transmission in the vote collection 

center conrvputer system. In step 322, the facility verifies the received validity 
proof. In step 323, if the validity proof is successfully verified, then the facility 
continues with 324, else the facility does not continue in step 324. In step 324, 
the facility generates an encrypted confirmation of the encrypted ballot. The 
facility does so without decrypting the ballot, which is typically not possible in the 
vote collection center computer system, where the secret used to encrypt the 
ballot is not available. In step 325, the facility transmits the encrypted 
confirmation 331 to the voter computer system. 

[0042] In step 341, the facility receives the encrypted vote confirmation in the 

voter computer system. In step 342, the facility uses the secret maintained on the 
voter computer system to decrypt the encrypted vote confirmation. In step 343, 
the facility displays the decrypted vote confirmation for viewing by the user. In 
step 344, if the displayed vote confirmation is translated to the ballot choice 
selected by the voter by a confirmation dictionary in the voter's possession, then 
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the facility continues in step 345, else the facility continues in step 346. In step 
345, the facility determines that the voter's ballot is not corrupted, whereas, in 
step 346, the facility determines that the voter's ballot is corrupted. In this event, 
embodiments of the facility assist the user in revoking and resubmitting the voter's 
ballot. 

It will be appreciated by those skilled in the art that the above-described 
facility may be straightforwardly adapted or extended in various ways. While the 
foregoing description makes reference to preferred embodiments, the scope of 
the invention is defined solely by the claims that follow and the elements recited 
therein. 



[32462-8006US01 /SL01 3620. 1 61 ] 



-24- 



12/31/Ot 



